php security passwords sanitization phpass

Is it safe to sanitize passwords being given to PHPass, and vice versa?


From my understanding of hashing in general, one changed character any place can throw the whole hash into a different ballpark... and that got me thinking... Is sanitizing a password being given to PHPass a good idea? If at some future PHP version they decide to change what is escaped with their sanitization functions, and someone's password includes one of the newly escaped characters, that would throw their hash off and they could never get back in (short of a reset).

I realize that the potential security risk outweighs the inconvenience of a few password resets, but I am still curious on this point. Is this a legitimate concern?


Solution

  • I don't see why you need to sanitize a password, or most data for that matter. You should sanitize your data to make unsafe uses safe (like reading from a user-specified file). Other than that, everything else should be handled by htmlentities($data) when printing it, or mysql_real_escape_string($data) for use in MySQL queries. There is never a need to sanitize data that is never visible or never used in unsafe ways (that is, sanitize data as in making it safe)... it should be escaped.

    So, don't sanitize, escape where appropriate... like when printing or querying.
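
The scenario raised in the question, as an added example that is not part of the original post: a password is "sanitized" before hashing, then the sanitizer's behaviour changes between registration and login. It uses PHP's built-in password_hash()/password_verify() as a stand-in for PHPass, and the two sanitizer functions are hypothetical helpers that pin the htmlspecialchars() default flags from before PHP 8.1 (ENT_COMPAT) and from 8.1 onward (ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401).

```php
<?php
// Added example; sanitize_old()/sanitize_new() are hypothetical helpers.
// password_hash()/password_verify() stand in for PHPass here.

// htmlspecialchars() with the default flags used before PHP 8.1.
function sanitize_old(string $s): string {
    return htmlspecialchars($s, ENT_COMPAT, 'UTF-8');
}

// htmlspecialchars() with the default flags used from PHP 8.1 onward:
// single quotes are now escaped as well.
function sanitize_new(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401, 'UTF-8');
}

$password = "it's<my>pass";   // constructed sample input

// Registration, variant A: the sanitized string is what gets hashed.
$storedSanitized = password_hash(sanitize_old($password), PASSWORD_BCRYPT);

// Registration, variant B: the raw password is hashed untouched.
$storedRaw = password_hash($password, PASSWORD_BCRYPT);

// Login after the runtime upgrade. Variant A now feeds a different
// string to the hash function than the one used at registration.
$sameInput  = sanitize_old($password) === sanitize_new($password);
$loginA     = password_verify(sanitize_new($password), $storedSanitized);
$loginB     = password_verify($password, $storedRaw);

echo "sanitizers agree on this password: "; var_dump($sameInput);
echo "login with sanitize-then-hash:     "; var_dump($loginA);
echo "login with raw password hashed:    "; var_dump($loginB);

// Escaping belongs at the point of output, for data that is displayed.
// A password is never displayed, so it never needs this step.
$displayName = "O'Brien <admin>";   // constructed sample input
echo htmlspecialchars($displayName, ENT_QUOTES, 'UTF-8'), PHP_EOL;
```

Explicit flags are passed everywhere so the script behaves the same on any PHP 7 or 8 runtime.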